Final Progress Report


1. Foreword

This final progress report covers ARO grant #DAAD 19-02-1-0304, entitled
"Coordinated Anomaly Detection and Characterization in Wide Area Network
Flows", which ran over a three year period from July 2002 to July 2005. While
the initial focus of the proposal was rather narrow, the study conducted over
the period of the program was wide-ranging and multifaceted. Early on, the
focus of the work broadened to become a comprehensive study of malicious
activity in the Internet. Specific research projects were conducted on (i)
characterizing the empirical behavior of malicious attacks and intrusions in
the Internet, (ii) developing tools for measuring and evaluating attack and
intrusion activity in the Internet, and (iii) developing tools to improve
"Internet Situational Awareness". Nine technical papers were published in the
most prestigious and highly selective Internet measurement and security
conferences as a direct result of support from this grant, and two US patents
have been filed. Furthermore, the work has been widely cited and has formed
the foundation for a large body of research activity both at the University of
Wisconsin and at other universities. Finally, the work supported by this grant
has been presented in a wide variety of venues including research labs,
universities, workshops and conferences.

2. Statement of Problem Studied

The ability to quickly and accurately identify anomalous behavior in computer
networks is essential to ensure that they perform efficiently, safely and
reliably. The current standard in anomaly detection technology is autonomous
packet-level analysis that uses simple thresholds or rules to generate alerts.
While these systems are effective in detecting and identifying some types of
anomalous behavior, networks are still far from robust or reliable. In this
project, we originally set out to pursue research initiatives aimed at
developing the next generation of anomaly detection infrastructures, methods
and tools. Shortly after beginning this work, we expanded the scope of the
problem space to include empirical measurement and analysis of malicious
traffic in the Internet and the development of tools and systems to provide
"Internet Situational Awareness": the ability to scale the perspective on
malicious activity to a desired or required level. Prior to our work, the
canonical systems used for this activity were network intrusion detection
systems (NIDS), which have many known problems but served as a starting point
for some of our efforts.

3. Summary of Most Important Results

This grant supported research and development activities that are summarized as follows:


1. Wavelet-based Anomaly Detection. We developed the first method for applying
wavelets to the problem of statistical anomaly detection in network flow data.
Wavelets are powerful tools for isolating discontinuities in both space and
time. Using a unique labeled data set collected at the University of Wisconsin,
we developed a method for applying wavelets to flow data collected from our
campus border router. Our results show that our wavelet-based tool is extremely
effective at isolating anomalies. We continue to develop these techniques in
follow-on work.
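The core idea behind this item, as an added worked example written for this page (it is not the grant's wavelet tool, whose filter bands and thresholds are not described here): a Haar wavelet transform over a constructed per-minute flow-count series, with the detail coefficients at a chosen scale thresholded by a robust median/MAD rule. Coefficients that stand out mark where the series has a sharp discontinuity; a smooth ramp and small repeating jitter produce only small coefficients. The series, the jitter pattern, the spike position and the threshold multiplier k are all constructed for the illustration.

```python
"""Haar wavelet detail coefficients as a flow-count anomaly detector.

Added illustration written for this page; it is not the wavelet tool
developed under the grant. Sharp changes in the series produce large
detail (high-frequency) coefficients, which are flagged with a robust
median/MAD threshold.
"""
import math
import statistics


def haar_level(signal):
    """One level of the Haar transform: (approximation, detail) coefficient lists."""
    approx, detail = [], []
    for i in range(0, len(signal) - 1, 2):
        a, b = signal[i], signal[i + 1]
        approx.append((a + b) / math.sqrt(2))
        detail.append((a - b) / math.sqrt(2))
    return approx, detail


def haar_decompose(signal, levels):
    """Detail coefficients for levels 1..levels (finest first) plus the residual approximation."""
    details, current = [], list(signal)
    for _ in range(levels):
        current, detail = haar_level(current)
        details.append(detail)
    return details, current


def flag_anomalies(signal, level=1, k=3.0):
    """Return (start, end) index windows of `signal` whose level-`level` detail
    coefficient lies more than k robust standard deviations from the median.
    Each level-`level` coefficient covers 2**level consecutive samples."""
    details, _ = haar_decompose(signal, level)
    coeffs = details[level - 1]
    med = statistics.median(coeffs)
    mad = statistics.median(abs(c - med) for c in coeffs)
    robust_sigma = max(1.4826 * mad, 1e-9)   # floor guards the all-equal case
    span = 2 ** level
    return [(j * span, j * span + span - 1)
            for j, c in enumerate(coeffs) if abs(c - med) > k * robust_sigma]


def constructed_flow_counts(n=64, spike_at=40, spike_size=600):
    """Constructed sample series: a slowly rising baseline, a small repeating
    jitter pattern, and one single-minute burst (e.g. a scan) at `spike_at`."""
    jitter = (0, 5, -5, 3)
    counts = [100 + i + jitter[i % 4] for i in range(n)]
    counts[spike_at] += spike_size
    return counts


if __name__ == "__main__":
    series = constructed_flow_counts()
    print("level 1 windows:", flag_anomalies(series, level=1))   # [(40, 41)]
    print("level 2 windows:", flag_anomalies(series, level=2))   # [(40, 43)]
```

The level parameter selects the time scale: level 1 localizes the burst to a two-minute window, level 2 to a four-minute one, while the linear ramp (a trend, not a discontinuity) never triggers because it contributes a constant to every detail coefficient and so cancels against the median.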

2. Global Characteristics of Internet Attacks and Intrusions. Using the
firewall and intrusion logs from over 1,700 networks worldwide (provided by
DShield.org), we conducted the first global analysis of Internet intrusion and
attack activity. Our results show that these activities take place on a massive
scale and that the data show an increasing trend. The results also laid the
groundwork for our DOMINO project, described below. A follow-on study was
conducted using data collected from our iSink honeypot system (also described
below). This study coined the term "Internet Background Radiation" for the
unwanted malicious traffic that courses through the Internet on a daily basis
as a result of worms and other malware.

3. Distributed Overlay for Monitoring InterNet Outbreaks (DOMINO). DOMINO is a
multifaceted system designed to use intrusion data from many collaborating
sites to generate intrusion alerts in an accurate and timely fashion. The
system uses peer-to-peer technology to facilitate participation. We have
developed the architecture for DOMINO and have evaluated its effectiveness
analytically in terms of false positives and false negatives and of the
response time to identify new worm outbreaks. Our results show that DOMINO
provides vastly superior capabilities compared to intrusion monitoring systems
deployed in isolation. Through support from the ARO DURIP program, we are in
the process of building an instance of DOMINO in the live Internet.

4. Internet Sink Monitors. Internet Sinks (iSinks) are packet monitors deployed
on unused but routed IP address space that include the ability to respond to
incoming connection requests. These so-called active honeypots provide a unique
and extremely valuable perspective on malicious activity. The unique capability
of iSink is that its active response capability is scalable and is not based on
virtual machines, as most other honeypots are. We are able to monitor an entire
class A network (16 million addresses) on a single PC. iSink data has been used
in a number of our papers and continues to be a key source of data for our
ongoing activities. We have also filed a US patent on iSink's technology.
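Why a responder can cover 16 million addresses on one machine comes down to not keeping per-connection state. The following is an added example written for this page, not iSink's implementation: it answers SYNs for any address and port, derives the initial sequence number in the SYN-ACK from a keyed hash of the 4-tuple (a SYN-cookie style construction, which is this example's own choice), and later validates a data segment from its own header fields alone, so no connection table grows with the size of the monitored space. The segment model, the secret, the addresses and the payload bytes are all constructed for the illustration.

```python
"""Stateless active responder for unused address space.

Added example written for this page, not code from iSink. It models one way
to answer connection requests for millions of addresses on a single host:
keep no per-connection table, and instead derive the initial sequence number
in the SYN-ACK from a keyed hash of the 4-tuple (a SYN-cookie style trick,
an assumption of this example), so a later data segment can be validated
from its own header fields alone.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed per-run secret; a deployment would generate and rotate it.
SECRET = b"constructed-example-secret"
MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    """Minimal TCP segment model: just the fields a stateless responder needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str            # subset of "SAPF", e.g. "S", "SA", "PA"
    payload: bytes = b""


def cookie_isn(src, sport, dst, dport):
    """Initial sequence number bound to the 4-tuple; nothing is stored."""
    msg = f"{src}:{sport}->{dst}:{dport}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def respond(seg: Segment, captured: list) -> Optional[Segment]:
    """Handle one inbound segment and return the reply to send, if any.
    Payloads on handshakes this responder issued are appended to `captured`."""
    r_src, r_sport, r_dst, r_dport = seg.dst, seg.dport, seg.src, seg.sport
    if "S" in seg.flags and "A" not in seg.flags:
        # Every unused address accepts every port: answer with a cookie ISN.
        isn = cookie_isn(seg.src, seg.sport, seg.dst, seg.dport)
        return Segment(r_src, r_sport, r_dst, r_dport,
                       seq=isn, ack=(seg.seq + 1) & MASK32, flags="SA")
    if "A" in seg.flags:
        expected_ack = (cookie_isn(seg.src, seg.sport, seg.dst, seg.dport) + 1) & MASK32
        if seg.ack != expected_ack:
            return None   # not a handshake we completed: drop, no state touched
        if seg.payload:
            captured.append((seg.src, seg.dport, seg.payload))
            # Acknowledge the data so a worm or scanner keeps sending its exploit.
            return Segment(r_src, r_sport, r_dst, r_dport,
                           seq=expected_ack,
                           ack=(seg.seq + len(seg.payload)) & MASK32, flags="A")
    return None


def run_exchange(segments):
    """Feed inbound segments through the responder; return captured payloads."""
    captured = []
    for seg in segments:
        respond(seg, captured)
    return captured


def constructed_probe():
    """Constructed inbound traffic: one genuine handshake carrying a payload to
    port 135, then a segment whose acknowledgment number is wrong (spoofed or
    stale), which the responder must ignore."""
    src, sport, sink, port = "203.0.113.7", 40000, "10.1.2.3", 135
    good_ack = (cookie_isn(src, sport, sink, port) + 1) & MASK32
    return [
        Segment(src, sport, sink, port, seq=1000, ack=0, flags="S"),
        Segment(src, sport, sink, port, seq=1001, ack=good_ack, flags="PA",
                payload=b"constructed-payload-to-135"),
        Segment(src, sport, sink, port, seq=1001, ack=(good_ack + 1) & MASK32,
                flags="PA", payload=b"not-ours"),
    ]


if __name__ == "__main__":
    for src, port, payload in run_exchange(constructed_probe()):
        print(f"{src} -> port {port}: {payload!r}")
```

The keyed hash is what keeps the design honest: without it, anyone who guessed the fixed ISN could inject payloads attributed to a source they do not control, and the sink's data would no longer reflect who actually completed a handshake.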

5. A Framework for Malicious Workload Generation. Any system that is developed
to detect attacks and intrusions needs to be thoroughly tested. Any such tests
must be based on known ground truth in order to fully assess the overall
effectiveness with respect to false alarms (both false positives and false
negatives). We developed an architectural framework for malicious workload
generation that enables the flexible composition of malicious traffic such
that both known attacks (such as the Welchia worm) and new attack variants can
be realized. We realized this framework in a tool we call MACE, which we have
enhanced with the critical ability to generate representative benign traffic
as well (representative from the perspective of both packet headers and
payloads).

6. Automatic Semantic-Aware Intrusion Signature Generation. One of the most
significant problems with current NIDS is that the signatures they use to
detect malicious attacks all have to be crafted by hand after a new attack has
been recognized. This process results in NIDS that have extremely high false
alarm rates. We developed a process for automatically generating IDS signatures
using data collected from iSink systems. This process is realized in a tool we
call Nemean, currently a prototype that can be used for offline tests. Our
evaluation of Nemean's semantic-aware signatures showed that they have
extremely high detection rates with almost no false positive alerts and do
significantly better than the canonical Snort tool in similar tests. We have
filed a US patent on Nemean technology and intend to work toward deploying
this capability in ARL.
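The general shape of signature generation from sink data, as an added example written for this page (it is a simplified token-based illustration, not Nemean's clustering and automaton construction): take several captured sessions of one attack, keep only the tokens common to all of them in order, turn those invariants into a pattern, and then score the pattern on held-out attack variants and on benign requests, which is the false-positive check the paragraph's evaluation claim rests on. Every request below is constructed for the example and describes no real vulnerability; the path `/vuln-app/exec` and the hosts are made up.

```python
"""Generalizing an intrusion signature from captured attack sessions.

Added illustration written for this page; it is not Nemean's algorithm.
Tokens common to every captured session of one attack (their longest common
token subsequence) form the signature; attacker-chosen fields that vary
between sessions fall out automatically. The signature is then scored on
held-out variants and on benign requests. All payloads below are constructed
for the example and describe no real vulnerability.
"""
import re

SEPARATORS = rb"([ \r\n/?=&:;])"


def tokenize(payload: bytes):
    """Split on whitespace and URL/HTTP punctuation; keep punctuation tokens."""
    return [t for t in re.split(SEPARATORS, payload) if t and not t.isspace()]


def lcs(a, b):
    """Longest common subsequence of two token lists (textbook DP)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def invariant_tokens(sessions):
    """Tokens present, in order, in every session."""
    common = tokenize(sessions[0])
    for s in sessions[1:]:
        common = lcs(common, tokenize(s))
    return common


def build_signature(sessions):
    """Regex requiring the invariant tokens in order, anything in between."""
    pattern = b".*?".join(re.escape(t) for t in invariant_tokens(sessions))
    return re.compile(pattern, re.DOTALL)


def evaluate(signature, attacks, benign):
    """(detection rate on attack variants, false-positive count on benign)."""
    detected = sum(1 for p in attacks if signature.search(p))
    false_pos = sum(1 for p in benign if signature.search(p))
    return detected / len(attacks), false_pos


# Constructed sessions of one attack, as a sink might record them: the
# command and the Host header vary from session to session.
TRAINING = [
    b"GET /vuln-app/exec?cmd=echo+hi HTTP/1.0\r\nHost: 10.0.0.1\r\nUser-Agent: scan/1.0\r\n\r\n",
    b"GET /vuln-app/exec?cmd=id HTTP/1.0\r\nHost: 10.0.0.2\r\n\r\n",
    b"GET /vuln-app/exec?cmd=uname+-a HTTP/1.0\r\nHost: 10.0.0.3\r\nX-Pad: aaaa\r\n\r\n",
]
# Constructed held-out variants of the same attack.
HOLDOUT = [
    b"GET /vuln-app/exec?cmd=wget+http://203.0.113.9/x HTTP/1.0\r\nHost: 192.0.2.5\r\n\r\n",
    b"GET /vuln-app/exec?cmd=ls HTTP/1.0\r\nHost: 192.0.2.6\r\nAccept: */*\r\n\r\n",
]
# Constructed benign requests, including one that shares the path prefix.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /vuln-app/docs/exec.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\ncmd=logout",
]

if __name__ == "__main__":
    sig = build_signature(TRAINING)
    print(b" ".join(invariant_tokens(TRAINING)).decode())
    print(evaluate(sig, HOLDOUT, BENIGN))   # (1.0, 0)
```

The second benign request is the interesting one: it shares `/vuln-app/` and `exec` with the attack but never carries the `?cmd=` query structure, so the ordered-token signature rejects it where a signature built from a single session's longest literal substring might not. In practice a generator must also watch the other direction: too few captured sessions leave attacker-chosen bytes in the invariant set, which is exactly what held-out variants expose.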